1 SUMMARY


1.1 SIL Assessment Results 


Eleven existing and three new IPFs were reviewed and assessed. Of these, one
was assessed as IL 2, four as IL 1, and the remaining nine as IL 0.


It should be noted that the IL 2 rating for 90-PIT-001 HH at the inlet of the Hydra 
facilities is the result of the poor reliability of the existing upstream protection 
systems on individual wells. If this reliability can be improved, as it should be, then 
the IL rating would reduce to IL 1. 


It should also be noted that the requirements for 90-TIT-003 HH on the cooler exit,
and hence the appropriate IL rating, will depend on a detailed review of the way in 
which this IPF should provide protection. 


It is recommended that one IPF, the low level trip on the cold vent drum, should be 
removed as it appears to have no beneficial purpose. 


Three groups of IPFs were not reviewed. These were: those in vendor packages,
which have not yet been defined in any detail; those in the fuel gas system, where 
the design is likely to be changed to meet the new requirements of the selected gas 
engine; and 90-XAT-001/2/3/4 HH on the cooler fans, whose function is not clear. 


1.2 Difficulties Experienced During the Execution of the SIL Study 


Two specific difficulties were identified during the execution of the SIL assessment, 
though there was some debate as to the possible conflict between the design 
philosophies that had been applied to the Qasr facilities and current new-build codes 
and standards. 


It became evident during the SIL assessment that the so-called HIPPS protection 
system on each well, that in theory would prevent overpressure of the pipeline, was 
essentially only a high integrity detection system, and that the protection system was 
demonstrably unreliable. Whilst this system is not within the scope of the current SIL 
assessment, it is a major cause of concern which should be addressed by KPC as a
matter of urgency. 


It was also made clear during the discussions, that there was no way in which 
additional protection at the Hydra facility could solve this upstream problem. 


The high temperature trip at the outlet of the coolers also posed a dilemma. The 
purpose of restricting the temperature is to keep the rate of corrosion in the carbon 
steel pipeline to an acceptable minimum. However, if the temperature at the
pipeline inlet should increase then a) there will not be an immediate increase in the rate of
corrosion since corrosion inhibitor is already in the pipeline, and b) there is no clearly 
defined threshold at which action should be taken. 
3 INTRODUCTION


3.1 Project Background 


Hydra is a hot, normally pressured gas condensate field located in the Western 
Desert of Egypt that is being developed by Khalda Petroleum Company (KPC), a 
joint-venture company between Apache Corporation and EGPC (Egyptian 
Government Petroleum Company). 


The field is located approximately 21km south of the Obayied Gas Plant and to the 
north of the Qasr field and approximately 8km to the south west of the pipeline that 
runs from the Shams manifold to the Obayied Gas Plant. 


Genesis has been commissioned to undertake the detailed design of Phases I and II
of the Hydra Gas Development Project. 


Phases I and II involve installing Hydra facilities which accommodate the fluids only
in early field life when the pressures are sufficiently high to free flow to the host 
facilities. Fluids will be cooled and separated via a three phase separator. The 
separated gas and condensate will be comingled and transported to EOL for further 
processing via the existing Shams to EOL carbon steel pipeline. Water will be further 
processed and disposed of locally. 


3.2 Terms of Reference 


The Terms of Reference for the SIL are set out in the HAZID, HAZOP and SIL Terms 
of Reference, Reference 1. 


3.3 Scope of SIL Study 


The scope of the SIL Study is confined to the facilities provided as part of the Hydra 
Gas Development Project, and only applies to the Genesis scope of work. 


The project is to be executed in three main phases: 


• Phase I: Installation of the cooler;
• Phase II: Installation of the separator and its associated facilities; and
• Phase III: Installation of gas compression.


This SIL only covers Phases I and II; Phase III will be reviewed at a later date.


3.4 Purpose of SIL


A number of measures are used on the Hydra Gas Development Project facilities to 
control the process risk (safety, environmental and financial). Some of these 
measures are implemented using Instrumented Protective Functions (IPF). It is 
necessary to assess the degree of reliance on these IPFs to control the risk to a 
tolerable level. This is established by categorising the Safety Integrity Level (SIL) 
required for each IPF. 


The assessment has been done in line with guidance provided in IEC 61511 (Ref. 2-4),
using the calibrated Risk Graph approach as set out in more detail in section 4 of
this report. This approach relies on grading a number of parameters that describe
the nature of the incident and its potential impact on risk:


• Consequence severity (number and vulnerability of people affected);
• Personnel exposure;
• Alternatives to avoid danger; and
• Demand rate.


The grading has been carried out without taking credit for the IPF so that the 
criticality of the IPF could be established. 


The SIL assessment has been undertaken with reference to the first two phases of
execution of the project.


3.5 SIL Assessment Team Members 
The SIL assessment was performed by the personnel listed in Table 3-1. 


Table 3-1 HAZID Attendees 


No. | Name | Position
1 | Rod Bayliss | HAZID Chairman
2 | Yan Chan | Scribe
KPC
3 | Mark Konecki | Deputy Gas Operations Manager
4 | Neil Clark | Project Manager
5 | Mike Chalmers | Process Engineer
6 | Ahmed Mohamed Yousef | Instrument Engineer
7 | Osama Said Ismail | Instrument Engineer
8 | Samir Said Aly | HSE General Manager
9 | Mohamed Ismail Soliman | Project Manager
10 | Ismail Shoukry | Senior Process Engineer
11 | Mohamed Osman | Process Engineer
12 | Abdelrahman Mohammed | Process Engineer
13 | Ahmed Abdel Monim Gamal | Process Engineer
14 | Said Tamam | Section Head, Gas Operations
Genesis
15 | David Fergusson | Project Management
16 | Sam Richardson | HSE Engineer
17 | Omar Rashad | Process Engineer
3.6 SIL Assessment Date


The SIL assessment was performed on Thursday 6th June 2013 in the KPC offices 
in Cairo. 


3.7 SIL Overview 


The SIL assessment methodology set out in IEC 61511 requires that all the IPFs 
have been identified by a preceding hazard and risk analysis. All the current IPFs
included in the design of the Hydra Gas Development Project were identified in the 
preceding HAZID and HAZOP studies, and three new IPFs were also proposed 
during the HAZOP. 


The approach to SIL assessment has been based on IEC 61511, using a calibrated 
risk graph method. Separate risk graphs were used for safety, environmental 
damage and financial loss. 


SIL 4 systems would be regarded as unacceptable and, if determined, additional 
means of protection shall be required to reduce the SIL to an acceptable value. 


3.7.1 Inclusions 


The review has assessed all the IPFs included in the design of the Hydra Gas
Development Project to protect against, or to mitigate the consequences of 
unplanned deviations from normal operating conditions that affect safety, 
environmental and financial risk from: 


• Process Elements;
• Hazardous utilities.


The IPFs were identified by reference to the ESD Cause and Effect matrices, and 
the P&IDs. 


3.7.2 Exclusions 


The following IPFs were not considered: 


• Permissives (e.g. instruments that allow a control action to occur, or
prevent a control action from occurring);
• Vendor packages (for which only an indicative system design is shown
on the P&ID) which shall be subject to separate HAZOP and SIL at a
later date (if required) once details are available from vendor(s);
• Spurious trip integrity affecting production loss (revealed failures).


3.8 Safety Action Management System (SAMS)


The key study actions and recommendations arising from the SIL are captured, and 
will be tracked to completion, in the SAMS register in accordance with the Genesis 
procedure CPR-ENG-PR-0117 (Ref. 5).
This register lists all actions arising from the HAZID / HAZOP / SIL workshops in a
simple spreadsheet format for action and information. It also includes all 
recommendations for further work contained in any other formal safety studies and 
any HS&E concerns formally raised by discipline engineers. The register will 
indicate the status of all actions at the end of design and where these actions have 
been addressed in the project documentation. 


3.9 SIL Assessment Assumptions 


• The Hydra facilities will be unmanned during Phases I and II, and will not be
permanently manned until Phase III;
• Routine operator visits to the Hydra facilities are expected to be roughly every
one or two weeks;
• The facilities are designed to minimise ignition sources:
   o Hazardous Area Classification will ensure that electrical equipment is
     appropriate to the area;
   o There is no flare system in Phases I and II, only a cold vent system;
   o Exhausts from diesel and gas engines will be in non-hazardous areas;
   o Hot work will be controlled by the Permit to Work system.
• The current design does not provide utility air or nitrogen;
• Facilities will be kept simple, so far as is reasonably practicable, to minimise
the requirement for operational and maintenance visits;


During Phase I operation:


• There will be no cold vent system, and manual vents will discharge locally
(though they may be manifolded to facilitate connection into Phase II);
• Power will be provided by one or more temporary diesel generators;
• There will be no closed drain system, but connections will be provided to allow
local drainage of liquid into appropriate containers.


3.10 Difficulties Experienced During the Execution of the SIL Study 


Two specific issues were identified during the execution of the SIL assessment, 
though there was some debate as to the possible conflict between the design 
philosophies that had been applied to the Qasr facilities and current new-build codes 
and standards. 


It was stated during the HAZOP that the pipeline was protected from overpressure 
by a dedicated HIPPS and full-flow PSV on each well. In theory, this should prevent 
fluids arriving at the Hydra facilities from exceeding the Hydra system design 
pressure. However, it became evident during the SIL assessment that the so-called 
HIPPS was essentially only a high integrity detection system, and that the protection 
system was demonstrably unreliable. Whilst this system is not within the scope of the 
current SIL assessment, it is a major cause of concern which should be addressed
by KPC as a matter of urgency. 


It was also made clear during the discussions, that there was no way in which 
additional protection at the Hydra facility could solve this upstream problem. 


The high temperature trip at the outlet of the coolers also posed a dilemma. The 
purpose of restricting the temperature is to keep the rate of corrosion in the carbon 
steel pipeline to an acceptable minimum. However, if the temperature at the
pipeline inlet should increase then a) there will not be an immediate increase in the rate of
corrosion since corrosion inhibitor is already in the pipeline, and b) there is no clearly 
defined threshold at which action should be taken. 


3.11 Recommendations for Further Studies 


There are no recommendations for further new studies, though there are four 
specific actions arising from the SIL assessment. Further SIL assessments will be 
required for vendor packages, and the fuel gas system. 


Phase III is outside the scope of the current review.
4 METHODOLOGY


4.1 Approach 


In view of the small number of IPFs, it was not considered necessary to screen out 
systems with zero or limited potential for safety, asset or environmental loss. 


The assessment process involved several repetitive steps for each of the IPF loops:


1. Identify loop (record tag and P&ID No.);
2. Determine the functionality of the loop, and potential hazard(s) being
   protected against;
3. Identify all significant causes for demand;
4. Evaluate potential consequences (without risk reduction measures);
5. Determine Safety IL with Risk Graph (Figure 4-1) using the following
   parameters:
   • Consequence Severity (number of people exposed + vulnerability);
   • Personnel Exposure (fraction of time exposed);
   • Alternatives to avoid danger; and
   • Demand rate;
6. Determine IL for environmental loss based on E;
7. Determine IL for financial loss based on F;
8. Required IL to be the highest of the three (S, E, F);
9. Adjust IL if same risk is limited by other independent measures:
   • Take the value of SIL derived in steps 1-8;
   • Identify independent risk reduction measures & adjust IL (PSV up to 2,
     F&G gas detection for safety=1, etc.);
10. Record the results and any associated assumptions or actions; and
11. Repeat steps 1 to 10 for each of the IPF loops.


The risk graph is shown in Figure 4-1 Risk Graph. The factors used to navigate 
through the matrix are set out in the subsequent sections. 
Figure 4-1 Risk Graph


Risk graph parameters:

Consequence Severity: Slight Injury (SI); Serious Injuries or 1 Death (1D); Multiple Deaths (MD); Catastrophic (C) (>10 deaths use quantified); Environmental (E); Financial / Reputation (F).

Personnel Exposure: Not applicable (NA); Rare, <10% of time (R); Frequent (F). NB: If demand rate is related to occupancy then use F.

Alternatives to Avoid Danger (if the protection fails): Not applicable (NA); Possible (P); Not Likely (NL). P should only be selected if all the following are true:
1. The operator will know the protection has failed;
2. Independent means of shutting down are provided;
3. There is sufficient time for the operator to respond prior to the hazardous event occurring.

Demand Rate: High, 0.3 - 3 yrs (H); Low, 3 - 30 yrs (L); Very Low, 30 yrs + (VL). Normal mode of control / cause of demand: Operator (H); PCS (rating not legible); ESD / SSDS (VL).


Demand rate columns: High | Low | Very Low


Consequence Type SAFETY (S): matrix values not legible.


Consequence Type ENVIRONMENTAL (E)
Reportable Release | RR | 1 | 0 | 0
Major temporary environmental impact (up to 3 months) | MT | 2 | 1 | 0
Major longer term environmental impact (> 3 months) | MP | 3 | 2 | 1


Consequence Type FINANCIAL (F)
< (row not legible)
>=$1M <$10M | MM | 2 | 1 | 0
>$10M | >M | 3 | 2 | 2


Note: If wholly independent mechanical protection (e.g. PSV), or a wholly independent high integrity protection system (HIPS) specified to meet or 
exceed the requirements of SIL 3, is available and provides total protection against the scenario under consideration, the resulting SIL target for the 
protective system in question can be reduced by 2. 


For example: 

SCENARIO: Overpressure protection provided by ESD loop (PT, logic solver and valve) and PSV, either one operating will prevent the hazard 
occurring. 

RISK GRAPH TARGET: SIL target for ESD loop as per the above risk graph is SIL 3. 

ACTUAL TARGET: SIL target for the ESD loop taking into account the added protection provided by the PSV is 3 - 2 = SIL 1. 

SIL LEVELS: SIL 1 (PFD 0.1 — 0.01); SIL 2 (PFD 0.01 — 0.001); SIL 3 (PFD 0.001 — 0.0001); SIL 4 (PFD 0.0001 — 0.00001). 
4.3 Risk Graph Criteria


4.3.1 Introduction 


The Risk Graph is intended to allow the SIL assessment team to make objective 
judgements about the IPF in a consistent manner. In order to satisfy the overall 
project risk control objectives, the Risk Graph has been calibrated to meet KPC's 
corporate risk criteria, and to take account of risks from other sources. 


Calibration of the Risk Graph is a process of assigning numerical values to the main 
parameters. Each parameter has a range of an order of magnitude, which will 
produce a result within several orders of magnitude. For this reason, the risk graphs 
must be calibrated on a conservative basis to avoid the danger of under-estimating 
the unprotected risk and the amount of risk reduction required. 


This section describes a proposed set of criteria for the Risk Graph parameters to be 
used for the Hydra Gas Development Project. This is based on past industry 
experience and covers the following main parameters from IEC 61511 (Ref. 2-4): 


• Consequence severity (no. of people affected & vulnerability);
• Personnel exposure;
• Alternatives to avoid danger; and
• Demand rate.


4.4 Consequence Severity 


4.4.1 Safety Consequence 
The safety consequences are defined in Table 4-1. 


Table 4-1 Safety Consequences 


Parameter | Potential Impact | Description
- | No/slight effect | First aid case and medical treatment case. Not affecting work performance or causing disability
SI | Minor Injury | Lost time injury. Affecting work performance such as restriction to activities or need to take a few days to fully recover (maximum one week)
1D | Serious injuries or 1 Death | Including permanent partial disability. Affecting work performance in the longer term, such as a prolonged absence from work. Irreversible health damage. Total disability for a person, or a single fatality
MD | Multiple Deaths | Multiple fatalities due to the incident (e.g. explosion)
C | Catastrophic | Catastrophic event causing 10 or greater fatalities (e.g. large explosion)


When the safety consequence is less than a minor injury, the integrity of the loop does
not need to be defined.


4.4.2 Environmental Consequence 


The environmental consequences are summarised in Table 4-2. 
Table 4-2 Environmental Consequence


Potential Impact | Description
Reportable Release | A quantifiable release requiring submission to relevant environmental regulatory authorities
Major temporary environmental impact (up to 3 months) | Major impact with potential environmental consequences lasting up to 3 months
Major longer term environmental impact (> 3 months) | Major impact with potential environmental consequences lasting over 3 months

Venting of hydrocarbon gas is considered to be an acceptable mitigation measure 
during an emergency and therefore the environmental consequence is low. 


When the environmental consequence is less than a reportable release, the integrity
of the loop does not need to be defined.


4.4.3 Financial Loss Consequence 


The financial loss consequence includes both the cost of repair/replacement of
damaged equipment or parts (labour and parts) and the cost due to loss of
production (or deferred production).


The financial loss consequences are summarised in Table 4-3.


Loss of asset


When determining the financial loss, the cost of repair or replacing parts or 
equipment as well as the cost of labour to repair the equipment should be accounted 
for. The review should estimate the financial loss based upon the consequence and 
choose the corresponding consequence parameter. 


Loss of production 


Where the repair or replacement of equipment will require a shutdown, the loss of 
revenue due to loss of production should be included. KPC stated that loss of 1 day's 
production would cost approximately $1 million, and this value was used as the basis 
for each estimate. When spares are provided, the damaged equipment can be 
repaired off-line whilst production is continued with the standby equipment and 
therefore there is no associated loss of production. 


For each consequence parameter, the duration of shutdown that corresponds to the
financial loss is estimated.


Table 4-3 shows the equivalent financial loss parameter based upon the duration of 
shutdown. 
Table 4-3 Financial Loss Consequence


Parameter | Financial loss | Production loss
<M | Loss value less than $1M | Total shutdown disruption, e.g. less than 1 day
MM | Loss value between $1M and $10M | Total shutdown, e.g. more than 1 but less than 10 days
>M | Loss value greater than $10M | Long term total shutdown, e.g. more than 10 days


4.5 Personnel Exposure 


This is a consideration for safety to personnel only, and is calculated by determining 
the length of time the area exposed to the hazard is occupied during a normal 
working period. If the time in the hazardous (i.e. exposed) area is different 
depending on the shift pattern then the maximum is selected. It is only appropriate 
to use R where it can be shown that the demand rate is random and not related to 
situations where occupancy could be higher than normal. The latter is usually the 
case with demands which occur at equipment start-up or with maintenance 
operations. Personnel exposure parameters are shown in Table 4-4. 


Table 4-4 Personnel Exposure Parameter 


Parameter | Description
R | Rare to more frequent exposure in the hazardous zone. The occupancy level is less than 0.1.
F | Frequent to permanent exposure in the hazardous zone. The occupancy level is greater than 0.1


The frequency of exposure is not a consideration when considering financial loss or 
environmental risk and therefore is not used in the risk graph for these issues. 


4.6 Probability of Avoidance 


This is the probability of avoiding the hazardous event if the protection system fails to 
operate. The probability of avoidance is generally the same for the safety, financial 
loss and environmental assessment. Probability of avoidance parameters are shown 
in Table 4-5. 


Table 4-5 Probability of Avoidance Parameter 


Parameter | Description
P | Possible
NL | Not Likely


P is adopted if all of the conditions defined below are satisfied: 


• facilities are provided to alert the operator that the protection has failed;
• independent facilities are provided to shut down such that the hazard
can be avoided or which enable all persons to escape to a safe area;
and
• the time between the operator being alerted and a hazardous event
occurring is definitely sufficient for the necessary actions.


NL is adopted if any of the defined conditions above are not satisfied.


4.7 Demand Rate 


To determine the demand rate of a trip function, it is necessary to consider all 
sources of failure that can lead to a hazardous event. In determining the demand 
rate, limited credit can be allowed for control system performance and intervention. 
The performance which can be claimed if the control system is not designed and 
maintained according to IEC 61511 is limited to below the performance ranges 
associated with IL 1. No risk mitigation can be taken for a control function if the 
hazardous event is dependent on its failure. The purpose of the demand factor is to 
estimate the frequency of the hazard taking place without the addition of the Safety 
Instrumented System (SIS) or relief valves. 


If the demand rate is very high (e.g. 10 per year) the IL has to be determined by
another method or the risk graph recalibrated. In this case the mode of operation is 
high demand or continuous as defined in IEC 61511, Clause 3.2.43.2 (Ref. 4). 


The demand rate is grouped into three 'bands' as shown in Table 4-6.


Table 4-6 Demand Rate


Parameter | Description
High (H) | Demand rate from 0.3 to 3 per year
Low (L) | Demand rate from 0.03 to less than 0.3 per year
Very Low (VL) | Demand rate less than 0.03 per year


4.8 IL Target Level 


The highest integrity level from the safety, financial loss and environmental 
assessments shall be selected as the required Integrity Level. 


For each of the safety instrumented functions operating in demand mode, the 
required IL shall be specified in accordance with levels as stated in Table 4-7 below 
(Ref. 3 & 4): 


Table 4-7 Probability of Failure on Demand for IL 1, 2, 3 and 4


Parameter | PFD
IL 4 | >=10^-5 to <10^-4
IL 3 | >=10^-4 to <10^-3
IL 2 | >=10^-3 to <10^-2
IL 1 | >=10^-2 to <10^-1


4.9 Nominal Demand Frequencies 


Nominal demand frequencies proposed for the IL specification are shown in Table 
4-8. 
Table 4-8 Nominal Demand Frequencies


Initiating Event | Nominal Frequency | Demand Rate
Human Error (Routine once per month opportunity) | |
Human Error (Non routine, low stress) | 1/10 Years | L
Control Loop Failure | | L
Control Loop Failure (Failure to position opposite to that designated) | 1/100 Years | VL
Large Fire | 1/100 Years | VL

In the majority of events causing demand on the IPF, the event will be assigned a 
demand rate of L. Examples are given in Table 4-9 below. However, the meeting 
also considered whether the demand rate should be increased or decreased 
depending on the specific circumstances of the demand. The IL worksheet records 
the justification for the choice of demand frequency when not taken as L (especially 
for H). 


Table 4-9 Nominal Demand Frequencies 


Event Demand Rate 


Operator closes a manual valve in error 
Pressure control failure 


ESD valve fails closed 
Failure to clean strainer 


The consequence class shall be decreased by 1 step if the potential consequences 
are expected to occur in less than 1 out of 10 failures. Note however that the 
vulnerability factors for the health and safety already take into account the probability 
of ignition, so no further reduction shall be taken into account for this. 


4.10 Mechanical Protective Systems 

Following specification of the initial integrity level, credit should be taken for the 
existence of mechanical protective systems providing protection against the 
identified hazard. 


An IL reduction of 2 can be taken when a full flow PSV is provided (without a 
bursting disc upstream). As a minimum, any high pressure trip that is provided as a 
protective system along with a mechanical protection shall be classified as IL 1 given 
that it also prevents the opening of a relief valve. The consequences of opening a 
relief valve are financial loss (cost to test and repair valve if opened), and 
environmental (venting of gas to atmosphere). 
5 MAJOR FINDINGS AND RECOMMENDATIONS


5.1 SIL Assessment Results 


Fourteen IPFs were reviewed and assessed. These are listed in Table 5-1.


Table 5-1 IPFs Examined


Work Sheet No. | Instrument Tag | Detected Condition | P&ID
1 | 90-PIT-001 HH | High pressure at Hydra facility inlet | 12211
2 | 90-PIT-001 LL | Low pressure at Hydra facility inlet | 12211
3 | 90-VAT-001 HH | High vibration on cooler fan | 12221
3 | 90-VAT-002 HH | High vibration on cooler fan | 12221
3 | 90-VAT-003 HH | High vibration on cooler fan | 12221
3 | 90-VAT-004 HH | High vibration on cooler fan | 12221
5 | 90-TIT-003 HH | High temperature at exit of air coolers | 12221
6 | 90-LIT-001 LL | Low interface level in separator | 12222
13 | 90-LIT-015 HH | High level in cold vent drum | 12261
14 | 90-LIT-015 LL | Low level in cold vent drum | 12261
15 | 90-LIT-007 HH | High level in closed drains drum | 12265
16 | New LAHH | High level in separator condensate compartment | 12222
17 | New LAHH | High interface level in separator | 12222
18 | New TALL | Low temperature in vent drum | 12261


The results of the assessment are shown on the detailed assessment worksheets in 
section 7 of this report, and are summarised in Table 5-2. 


Table 5-2 IL Results 


Instrument Tag | Detected Condition | SIL | AIL | EIL
90-PIT-001 HH | High pressure at Hydra facility inlet | 2 | 2 | 1
90-PIT-001 LL | Low pressure at Hydra facility inlet | 1 | 1 | 0
90-VAT-001 HH | High vibration on cooler fan | 0 | 0 | 0
90-VAT-002 HH | High vibration on cooler fan | 0 | 0 | 0
90-VAT-003 HH | High vibration on cooler fan | 0 | 0 | 0
90-VAT-004 HH | High vibration on cooler fan | 0 | 0 | 0
90-TIT-003 HH | High temperature at exit of air coolers | 0 | 1 | 0
90-LIT-001 LL | Low interface level in separator | 0 | 1 | 0
90-LIT-015 HH | High level in cold vent drum | 0 | 0 | 0
90-LIT-015 LL | Low level in cold vent drum | 0 | 0 | 0
90-LIT-007 HH | High level in closed drains drum | 0 | 0 | 0
New LAHH | High level in separator condensate compartment | 0 | 0 | 0
New LAHH | High interface level in separator | 0 | 0 | 0
New TALL | Low temperature in vent drum | 0 | 1 | 0


It should be noted that the IL 2 rating for 90-PIT-001 HH is the result of the poor
reliability of the existing upstream protection systems on individual wells. If this
reliability can be improved, as it should be, then the IL rating would reduce to IL 1.


It should also be noted that the requirements for 90-TIT-003 HH on the cooler exit,
and hence the appropriate IL rating, will depend on the review.
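

The selection rules of sections 4.7 to 4.10, applied to the Table 5-2 ratings to cross-check the summary counts (one IL 2, four IL 1, nine IL 0). This is an added example, not part of the original report: the function names are hypothetical, the three values in each row of the environmental panel of Figure 4-1 are assumed to be in the order High, Low, Very Low, and the AIL column is read as the asset (financial loss) rating.

```python
from collections import Counter


def demand_band(demands_per_year):
    """Table 4-6: classify a demand rate (per year) as H, L or VL."""
    if demands_per_year <= 0:
        raise ValueError("demand rate must be positive")
    if demands_per_year > 3:
        # Section 4.7: very high rates need another method or a
        # recalibrated risk graph.
        raise ValueError("demand rate is above the range of the risk graph")
    if demands_per_year >= 0.3:
        return "H"
    if demands_per_year >= 0.03:
        return "L"
    return "VL"


# Environmental panel of Figure 4-1 (assumed column order: H, L, VL).
ENVIRONMENTAL_IL = {
    "RR": {"H": 1, "L": 0, "VL": 0},  # reportable release
    "MT": {"H": 2, "L": 1, "VL": 0},  # major temporary impact
    "MP": {"H": 3, "L": 2, "VL": 1},  # major longer term impact
}


def environmental_il(consequence, band):
    """Look up the environmental IL for a consequence code and demand band."""
    return ENVIRONMENTAL_IL[consequence][band]


def required_il(safety, asset, environmental):
    """Section 4.8: the required IL is the highest of the three ratings."""
    il = max(safety, asset, environmental)
    if il >= 4:
        # Section 3.7: SIL 4 is unacceptable, more protection is required.
        raise ValueError("IL 4 requires additional means of protection")
    return il


def credit_mechanical_protection(il, full_flow_psv, high_pressure_trip=False):
    """Section 4.10: reduce by 2 for a full flow PSV, but a high pressure
    trip backed by mechanical protection is never rated below IL 1."""
    if not full_flow_psv:
        return il
    reduced = max(il - 2, 0)
    if high_pressure_trip:
        reduced = max(reduced, 1)
    return reduced


# Table 4-7: PFD range for each IL, as (lower bound inclusive, upper bound).
PFD_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def il_for_pfd(pfd):
    """Return the IL whose Table 4-7 band contains this PFD (0 if PFD >= 0.1)."""
    for il, (low, high) in PFD_BANDS.items():
        if low <= pfd < high:
            return il
    if pfd >= 1e-1:
        return 0
    raise ValueError("PFD is below the IL 4 band of Table 4-7")


# Table 5-2 as (tag, SIL, AIL, EIL); the two new LAHH tags are
# disambiguated here by their detected condition.
TABLE_5_2 = [
    ("90-PIT-001 HH", 2, 2, 1), ("90-PIT-001 LL", 1, 1, 0),
    ("90-VAT-001 HH", 0, 0, 0), ("90-VAT-002 HH", 0, 0, 0),
    ("90-VAT-003 HH", 0, 0, 0), ("90-VAT-004 HH", 0, 0, 0),
    ("90-TIT-003 HH", 0, 1, 0), ("90-LIT-001 LL", 0, 1, 0),
    ("90-LIT-015 HH", 0, 0, 0), ("90-LIT-015 LL", 0, 0, 0),
    ("90-LIT-007 HH", 0, 0, 0), ("New LAHH (condensate)", 0, 0, 0),
    ("New LAHH (interface)", 0, 0, 0), ("New TALL", 0, 1, 0),
]


def summarise(rows):
    """Count how many IPFs fall at each overall IL."""
    return dict(Counter(required_il(s, a, e) for _tag, s, a, e in rows))


if __name__ == "__main__":
    print(summarise(TABLE_5_2))
    # The worked example under Figure 4-1: risk graph target 3, full flow PSV.
    print(credit_mechanical_protection(3, full_flow_psv=True))
```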


5.2 IPFs Not Assessed 


The P&IDs show 90-XAT-001/2/3/4 HH on the cooler fans, which have been
released from their current duty elsewhere, but the function of these instruments is 
not clear. In the circumstances it was agreed that these loops could not be reviewed 
until more information was available. 


It was also agreed that IPFs on the various vendor packages should not be reviewed 
at this stage as the information shown within the vendor packages is only indicative. 
When the vendor packages have been designed in detail they will each be subjected 
to a Vendor Package HAZOP, and the IPFs will be identified and can then be 
assessed. 


The fuel gas system, as currently shown on the P&IDs, is expected to be
re-designed once the details of the gas engine fuel gas system have been resolved.
This system will also be subjected to a HAZOP when the design has been finalised, 
and the IPFs will be identified and can then be assessed. 


The loops that were excluded from the assessment are listed in Table 5-3. 


Table 5-3 IPFs Excluded 


Tag Number | P&ID | Reason for Exclusion
90-XAT-001 HH | 12221 | The function of these instruments was not clear
90-XAT-002 HH | 12221 | The function of these instruments was not clear
90-XAT-003 HH | 12221 | The function of these instruments was not clear
90-XAT-004 HH | 12221 | The function of these instruments was not clear
90-PIT-018 LL | 12241 | The fuel gas system is likely to be redesigned
90-PIT-018 HH | 12241 | The fuel gas system is likely to be redesigned
90-LIT-012 HH | 12241 | The fuel gas system is likely to be redesigned
90-LIT-012 LL | 12241 | The fuel gas system is likely to be redesigned
90-TIT-007A/B HH | 12242 | The fuel gas system is likely to be redesigned
90-TIT-008A/B HH | 12242 | The fuel gas system is likely to be redesigned
IPFs on all vendor packages | | Not yet designed


5.3 SIL Assessment Recommendations 


Four actions were recommended during the SIL assessment. These are summarised 
in Table 5-4. 


Table 5-4 SIL Assessment Recommendations 


Node | Recommendation | By
5 | It is proposed that a delayed timer is put on the high high temperature trip to give the operator time to intervene, but that production should subsequently be shut down if the intervention is ineffective within a preset time | KPC
6 | Confirm that the sizing of the degasser vent can handle the gas blowby scenario | GENESIS Process
14 | Consider removing this trip as per HAZOP Action 40. There is no liquid level in the cold vent drum normally so the trip will be continuously activated. The cold vent drum and the closed drain drum are both part of the same system, interconnected by both vapour and liquid lines, and the drains drum is the vessel that normally receives any liquid | GENESIS Process
15 | Ensure that the closed drain drum is sufficiently large to contain the maximum liquid inventory from the separator | GENESIS Process
17 | Review whether an independent alarm (rather than a trip) provides sufficient protection | KPC and Genesis
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7 SILWORKSHEETS 
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GENESIS 1 


Trip: 90-PIT-001 HH
System No./Name: Hydra Production Line Tie-in
P&ID No: 12211

Role of protection function: Prevent overpressure of Hydra equipment

Hazard Assessment Process: SIL MEETING

Events leading to the hazard | Event Frequency
High upstream pressure | High 0.3 - 3 yrs
Downstream ESDV valve fails closed | Low 3 - 30 yrs
Blockage of the cooler | Very Low 30 yrs +
Malfunction of the controller drives PCV closed | Low 3 - 30 yrs

Consequence with no protection: Overpressure of Hydra equipment and potential damage and loss of containment leading to fire or explosion. Loss of production.

Functional requirements necessary to prevent hazard: Close Hydra facilities inlet
Process condition detected by 90-PIT-001 HH: 90-PIT-001 HH
Final actuation device(s) necessary to prevent hazard: ESDV-001
Functional requirements for orderly shutdown and start-up: None Specified

Method of Determining required integrity levels

Exposure Time (R or F)
Avoidance Probability (P or NL)
Demand Rate (H, L, or VL)
SIL AIL
Integrity Required

Other Protection Systems: Full flow PSVs at well site
Integrity reduction (other protection)
Integrity reduction (assumptions)
Revised integrity required
Overall Integrity Required:
Consequences of Spurious Trip: Loss of less than 1 day's production

Assumptions:
2 The reason for the high demand rate is that the so-called HIPPS systems upstream are not reliable.
There are 7 wells in parallel, each protected by a full-flow PSV. However, failure of any one PSV will lead to overpressure in the pipeline upstream of the Hydra facilities, so the credit taken has been only a reduction of 1 SIL level.

Recommendations


GENESIS 2


Trip: 90-PIT-001 LL
System No./Name: Hydra Production Line Tie-in
P&ID No: 12211

Role of protection function: Detect low pressure in Hydra facilities inlet

Hazard Assessment Process: SIL MEETING

Events leading to the hazard | Event Frequency
1 Major loss of containment in pipeline | VL Very Low 30 yrs +
2 Major loss of containment in Hydra facilities | VL Very Low 30 yrs +

Consequence with no protection: Increased loss of inventory

Functional requirements necessary to prevent hazard: Close Hydra facilities inlet and outlet
Process condition detected by 90-PIT-001 LL
Final actuation device(s) necessary to prevent hazard: ESDV-001 and ESDV002
Functional requirements for orderly shutdown and start-up: None Specified

Method of Determining required integrity levels

Safety | Financial loss | Environmental Loss
Consequences
Exposure Time (R or F)
Avoidance Probability (P or NL)
Demand Rate (H, L, or VL)
SIL AIL
Integrity Required

Other Protection Systems: Fire and gas detection system and hazardous area classification
Integrity reduction (other protection)
Integrity reduction (assumptions)
Revised integrity required
Overall Integrity Required:
Consequences of Spurious Trip

Assumptions:
Probability of loss of containment taken as very low; however, probability of ignition is also very low as the facility is provided with fire and gas detection system and hazardous area classification. Therefore reduction of 1 taken.

Recommendations


GENESIS 3


Trip: 90-VAT-001/002/003/004 HH
System No./Name: Hydra Air Coolers
P&ID No: 12221

Role of protection function: To trip air cooler fans at high vibration to prevent damage to the air cooler

Hazard Assessment Process:

Events leading to the hazard | Event Frequency
1 Air cooler fan running out of balance, due to bearing failure, or other similar causes. | L Low 3 - 30 yrs

Consequence with no protection: Damage to air cooler. Reduced production.

Functional requirements necessary to prevent hazard: Trip air cooler
Process condition detected by 90-VAT-001/002/003/004 HH: 90-VAT-001/002/003/004 HH
Final actuation device(s) necessary to prevent hazard: Air cooler trip system
Functional requirements for orderly shutdown and start-up: None Specified

Method of Determining required integrity levels

Safety | Financial loss | Environmental Loss
Consequences
Exposure Time (R or F)
Avoidance Probability (P or NL)
Demand Rate (H, L, or VL)
SIL AIL
Integrity Required

Other Protection Systems: Cowling and Caging
Integrity reduction (other protection)
Integrity reduction (assumptions)
Revised integrity required
Overall Integrity Required:
Consequences of Spurious Trip

Assumptions:
2 The fan is contained within a cowling

Recommendations


GENESIS 5


Trip: 90-TIT-003 HH
System No./Name: Hydra Air Coolers
P&ID No: 12221

Role of protection function: Detect high temperature at exit of air coolers to limit the temperature in the carbon steel pipeline, and hence the rate of corrosion.

Hazard Assessment Process: SIL MEETING

Events leading to the hazard | Event Frequency
Inability to control temperature because of fan failure or louver failure | Very Low 30 yrs +
High ambient temperature | Very Low 30 yrs +

Consequence with no protection: Temperature of fluids exported to Hydra pipeline exceeds corrosion temperature limit and the pipeline coating limit, increased pipeline corrosion.

Functional requirements necessary to prevent hazard: Close Hydra inlet
Process condition detected by 90-TIT-003 HH: 90-TIT-003 HH
Final actuation device(s) necessary to prevent hazard: ESDV-001
Functional requirements for orderly shutdown and start-up: None Specified

Method of Determining required integrity levels

Consequences
Exposure Time (R or F)
Avoidance Probability (P or NL)
Demand Rate (H, L, or VL)
SIL AIL
Integrity Required

Other Protection Systems:
Integrity reduction (other protection)
Integrity reduction (assumptions)
Revised integrity required
Overall Integrity Required:
Consequences of Spurious Trip

Assumptions:
2 When high temperature is detected, the operator will intervene and bring the temperature back within acceptable limit
3 Corrosion inhibitor injection rate can be increased

Recommendations
It is proposed that a delayed timer is put on the high high temperature trip to give the operator time to intervene, but that production should subsequently be shut down if the intervention is ineffective within a preset time - KPC


GENESIS 6


Trip: 90-LIT-001 LL
System No./Name: Hydra Production Separator
P&ID No: 12222

Role of protection function: Detect low interface level in separator to prevent condensate discharge, followed by gas blowby, to produced water system

Hazard Assessment Process: SIL MEETING

Events leading to the hazard | Event Frequency
Malfunction of the interface level controller LIC003 | Very Low 30 yrs +

Consequence with no protection: Discharge of condensate to the evaporation pond, followed by gas blowby to produced water system, potential loss of containment. Loss of production.

Functional requirements necessary to prevent hazard: Isolate production separator from produced water system
Process condition detected by 90-LIT-001 LL: 90-LIT-001 LL
Final actuation device(s) necessary to prevent hazard: ESDV-003
Functional requirements for orderly shutdown and start-up: None Specified

Method of Determining required integrity levels

Exposure Time (R or F)
Avoidance Probability (P or NL)
Demand Rate (H, L, or VL)
SIL AIL
Integrity Required

Other Protection Systems:
Integrity reduction (other protection)
Integrity reduction (assumptions)
Revised integrity required
Overall Integrity Required:
Consequences of Spurious Trip

Assumptions:

Recommendations
1 Confirm that the sizing of the degasser vent can handle the gas blowby scenario - Genesis Process


GENESIS 13


Trip: 90-LIT-015 HH
System No./Name: Cold Vent Drum
P&ID No: 12261

Role of protection function: Prevent liquid carryover and discharge from the cold vent and increased back pressure on the cold vent system

Hazard Assessment Process: SIL MEETING

Events leading to the hazard | Event Frequency
Malfunction of LIC016 drives LV006 closed when there is liquid entering cold vent system | Very Low 30 yrs +
ESDV007 fails closed | Very Low 30 yrs +

Consequence with no protection:

Functional requirements necessary to prevent hazard:
Process condition detected by 90-LIT-015 HH
Final actuation device(s) necessary to prevent hazard:
Functional requirements for orderly shutdown and start-up:

Method of Determining required integrity levels

Safety | Financial loss | Environmental Loss
Consequences
Exposure Time (R or F)
Avoidance Probability (P or NL)
Demand Rate (H, L, or VL)
SIL AIL
Integrity Required

Other Protection Systems:
Integrity reduction (other protection)
Integrity reduction (assumptions)
Revised integrity required
Overall Integrity Required:
Consequences of Spurious Trip: Loss of half a day production (around 500k) - Frequency (around once a year)

Assumptions:
2 The very low demand rate is due to the low failure frequency of controller malfunction combined with very low probability of liquid entering cold vent system

Recommendations


GENESIS 14


Trip: 90-LIT-015 LL
System No./Name: Cold Vent Drum
P&ID No: 12261

Role of protection function: To prevent loss of a liquid seal in the base of the closed drains drum.

Hazard Assessment Process: SIL MEETING

Events leading to the hazard | Event Frequency

Consequence with no protection:

Functional requirements necessary to prevent hazard:
Process condition detected by 90-LIT-015 LL
Final actuation device(s) necessary to prevent hazard:
Functional requirements for orderly shutdown and start-up:

Method of Determining required integrity levels

Safety | Financial loss | Environmental Loss
Consequences
Exposure Time (R or F)
Avoidance Probability (P or NL)
Demand Rate (H, L, or VL)
SIL
Integrity Required

Other Protection Systems:
Integrity reduction (other protection)
Integrity reduction (assumptions)
Revised integrity required
Overall Integrity Required:
Consequences of Spurious Trip

Assumptions:

Recommendations
1 Consider removing this trip as per HAZOP Action 40. There is no liquid level in the cold vent drum normally so the trip will be continuously activated. The cold vent drum and the closed drain drum are both part of the same system, interconnected by both vapour and liquid lines, and the drains drum is the vessel that normally receives any liquid - GENESIS Process


GENESIS 15


Trip: 90-LIT-007 HH
System No./Name: Closed Drains Drum
P&ID No: 12265

Role of protection function: To prevent liquid carryover into the cold vent drum

Hazard Assessment Process: SIL MEETING

Events leading to the hazard | Event Frequency
1 Malfunction of the LIC013 drives LCV013 open and LILL012 fails to close ESDV005 | Very Low 30 yrs +
2 Separator is drained down before inventory already in closed drain drum has been removed by the gully sucker | Low 3 - 30 yrs
3 Drain valve left open during start up and after maintenance | Low 3 - 30 yrs

Consequence with no protection: Accumulation of liquid in the cold vent drum will trip the plant and cause loss of production

Functional requirements necessary to prevent hazard: None
Process condition detected by 90-LIT-007 HH: 90-LIT-007 HH
Final actuation device(s) necessary to prevent hazard: ESD 3
Functional requirements for orderly shutdown and start-up: None Specified

Method of Determining required integrity levels

Exposure Time (R or F)
Avoidance Probability (P or NL)
Demand Rate (H, L, or VL)
SIL AIL
Integrity Required

Other Protection Systems:
Integrity reduction (other protection)
Integrity reduction (assumptions)
Revised integrity required
Overall Integrity Required:
Consequences of Spurious Trip

Assumptions:

Recommendations
1 To ensure that the closed drain drum is sufficiently large to contain the maximum liquid inventory from the separator


GENESIS 16


Trip: New LAHH on separator condensate compartment
System No./Name: Production separator
P&ID No: 12222

Role of protection function: To prevent liquid condensate carryover into gas outlet line of separator

Hazard Assessment Process: SIL MEETING

Events leading to the hazard | Event Frequency
1 Malfunction of controller LIC006 drives LV 006 closed | VL Very Low 30 yrs +

Consequence with no protection: May damage vessel internals and pressure control valve. Some liquid carryover into fuel gas system.

Functional requirements necessary to prevent hazard: Close ESDV001/002
Process condition detected by New LAHH on separator condensate compartment: LAHH on separator condensate compartment
Final actuation device(s) necessary to prevent hazard: ESDV001/002
Functional requirements for orderly shutdown and start-up: None Specified

Method of Determining required integrity levels

Safety | Financial loss | Environmental Loss
Consequences
Exposure Time (R or F)
Avoidance Probability (P or NL)
Demand Rate (H, L, or VL)
SIL AIL
Integrity Required

Other Protection Systems:
Integrity reduction (other protection)
Integrity reduction (assumptions)
Revised integrity required
Overall Integrity Required:
Consequences of Spurious Trip

Assumptions:

Recommendations


GENESIS 17


Trip: New LAHH on separator interface
System No./Name: Production separator
P&ID No: 12222

Role of protection function: To prevent water overflowing into condensate compartment of the separator, and then exported with the gas and condensate into pipeline

Hazard Assessment Process: SIL MEETING

Events leading to the hazard | Event Frequency
1 Malfunction of LIC003 | L Low 3 - 30 yrs
2 ESDV003 fails closed | L Low 3 - 30 yrs

Consequence with no protection: Water carryover into pipeline leading to corrosion in the pipeline. This condition effectively negates the function of the separator.

Functional requirements necessary to prevent hazard: ESD level 3
Process condition detected by New LAHH on separator interface: LAHH on separator interface
Final actuation device(s) necessary to prevent hazard: ESDV001/002
Functional requirements for orderly shutdown and start-up: None Specified

Method of Determining required integrity levels

Consequences
Exposure Time (R or F)
Avoidance Probability (P or NL)
Demand Rate (H, L, or VL)
SIL AIL
Integrity Required

Other Protection Systems:
Integrity reduction (other protection)
Integrity reduction (assumptions)
Revised integrity required
Overall Integrity Required:
Consequences of Spurious Trip

Assumptions:
2 Rate of production of water gives time before water interface level rises sufficiently to overflow into the condensate compartment

Recommendations
1 Review whether an independent alarm (rather than a trip) provides sufficient protection - KPC and Genesis


Khalda Petroleum Company

GENESIS SIL Report

Hydra Gas Development Project


GENESIS 18


Trip: New TALL on vent drum
System No./Name: Cold vent drum
P&ID No: 12261

Role of protection function: To prevent low temperature liquid flowing into the closed drain drum

Hazard Assessment Process: SIL MEETING

Events leading to the hazard | Event Frequency
1 The normal control action of LIC016 will transfer any liquid in the vent drum into the closed drains drum, regardless of its temperature. | VL Very Low 30 yrs +

Consequence with no protection: Very cold liquid sent to closed drain drum, damage to equipment and potential loss of containment. Loss of production.

Functional requirements necessary to prevent hazard: Close ESDV007
Process condition detected by New TALL on vent drum: TALL on vent drum
Final actuation device(s) necessary to prevent hazard: ESDV007
Functional requirements for orderly shutdown and start-up: None Specified

Method of Determining required integrity levels

Safety | Financial loss | Environmental Loss
Consequences
Exposure Time (R or F)
Avoidance Probability (P or NL)
Demand Rate (H, L, or VL)
SIL AIL
Integrity Required

Other Protection Systems:
Integrity reduction (other protection)
Integrity reduction (assumptions)
Revised integrity required
Overall Integrity Required:
Consequences of Spurious Trip

Assumptions:
2 Any liquid likely to be separated in the vent drum is likely to be very cold, though liquid formation is inherently unlikely.

Recommendations